FINAL REPORT 

Support to X-33/Reusable Launch Vehicle Technology Program

X-33 GN&C Initial Mission Success Team 
Reference: Purchase order # H-29854D 

Lee & Associates, LLC 


December 5, 2000 


1. Overview 

The X-33 Guidance, Navigation, and Control (GN&C) Peer Review Team (PRT) was formed 
to assess the integrated X-33 vehicle GN&C system in order to identify any areas of 
disproportionate risk for initial flight. The eventual scope of the PRT assessment encompasses 
the GN&C algorithms, software, avionics, control effectors, applicable models, and testing. The 
initial (phase 1) focus of the PRT was on the GN&C algorithms and the Flight Control Actuation 
Subsystem (FCAS). The PRT held meetings during its phase 1 assessment at X-33 assembly 
facilities in Palmdale, California on May 17-18, 2000 and at Honeywell facilities in Tempe, 
Arizona on June 7, 2000. The purpose of these meetings was for the PRT members to get 
background briefings on the X-33 vehicle and for the PRT team to be briefed on the design basis 
and current status of the X-33 GN&C algorithms as well as the FCAS. The following material is 
covered in this PRT phase 1 final report. 

• Some significant GN&C-related accomplishments by the X-33 development team are noted. 

• Some topics are identified that were found during phase 1 to require fuller consideration 
when the PRT reconvenes in the future. Some new recommendations by the PRT to the 
X-33 program will likely result from a thorough assessment of these subjects. 

• An initial list of recommendations from the PRT to the X-33 program is provided. These 
recommendations stem from topics that received adequate review by the PRT in phase 1.

• Significant technical observations by the PRT members as a result of the phase 1 meetings 
are detailed. (These are covered in an appendix.) 

There were many X-33 development team members who contributed to the technical 
information used by the PRT during the phase 1 assessment, who supported presentations to the 
PRT, and who helped to address the many questions posed by the PRT members at and after the 
phase 1 meetings. In all instances the interaction between the PRT and the X-33 development 
team members was cordial and very professional. The members of the PRT are grateful for the 
time and effort applied by all of these individuals and hope that the contents of this report will 
help to make the X-33 program a success. 

2. The Role of the X-33 GN&C PRT 

The X-33 program has been pursued in a cooperative agreement between NASA and 
Lockheed Martin to enable flight demonstration and evaluation of technologies that may be 
critical to the success of next generation, reusable, possibly single-stage-to-orbit launch vehicles. 
The X-33 vehicle is a one-of-a-kind sub-scale prototype that will fly a series of research and 
technology demonstration missions in high Mach conditions that provide aero-thermal stresses 
comparable to a vehicle capable of reaching orbit and returning. The X-33 vehicle assembly is 
already in process as are preparations for initial flight test operations. A robust and
risk-mitigated implementation of the vehicle's GN&C system along with its proper integration with
associated vehicle subsystems will be critical to the success of the flight test program. 

The X-33 GN&C system will enable fully autonomous flight, with command of the main 
propulsion system throttle and Thrust Vector Control (TVC), the FCAS electromechanical 
aerosurface actuators, as well as the Reaction Control System (RCS) thrusters to manage the 
mission profile. The GN&C system also interacts with all vehicle computers and avionics 
including the Embedded Global Positioning System (GPS)/inertial navigation system (EGI)-based
navigation system. Any problems with the GN&C software, its avionics interfaces, or its
functional integration with the other vehicle subsystems could have serious, adverse
implications. Consequently, the X-33 GN&C and associated, interacting subsystems must be
adequately validated, with identifiable issues resolved before first flight.

Development of the X-33 GN&C system, the vehicle avionics, and the other major vehicle 
subsystems with which GN&C interacts has been accomplished by a variety of technical groups 
at Lockheed Martin, NASA, Honeywell (formerly AlliedSignal), Boeing Rocketdyne, and other 
contractors. Each of these groups has focussed primarily on successful completion of their own 
subsystem development. While some integrated testing of critical subsystems has begun, much 
remains to be performed and screened against requirements before committing the X-33 to initial 
flight. 

Use of the PRT to scrutinize the integrated X-33 GN&C system design, its implemented 
performance, and its expected operations in conjunction with other key systems can help to 
identify areas with disproportionate design risks. Identification of design features with
disproportionate risk enables those areas to subsequently receive more attention while the vehicle
undergoes integration and testing. The PRT can consult with managers and technical staff from 
the program and can advise them regarding definition of tests that help to clarify the nature of the 
design capabilities and operational risks. After assessment of results from those tests, the PRT 
can again consult with the managers and technical staff from the program to advise them of 
strategies to mitigate the identified risks. For these reasons, the PRT has been formed to 
scrutinize the X-33 GN&C-related design status and issues. 

The X-33 GN&C PRT will perform its work in two or more phases. The phase 1 assessment 
addressed in this report focussed primarily on vehicle GN&C algorithms and the FCAS. This 
phase of the PRT activity was accomplished in 7 weeks during May and June 2000. Much was 
accomplished by the PRT during phase 1 within the technical scope defined for that phase, but 
most of the follow-up interaction with the program development staff on issues identified during 
phase 1 was postponed until the PRT reconvenes at a later date. Consequently, the future PRT 
activities will involve assessment of the areas within the PRT purview that were not addressed 
during phase 1 as well as close-out of the issues that were identified during phase 1. 

The membership of the X-33 GN&C PRT is detailed in Section 3. The PRT phase 1 goals and
design assessment process are summarized in Section 4. Section 5 provides a summary of topics
and presenters at the PRT phase 1 meetings. Some significant GN&C-related accomplishments 
by the X-33 development team that were noted by the PRT are identified in Section 6. Some 
GN&C-related topics that the PRT found to require future attention as a result of limited 
information obtained at the phase 1 meetings are detailed in Section 7. Section 8 provides an 
initial list of recommendations from the PRT to the X-33 program. Appendix A provides 
highlights of technical observations by the PRT members that were made during the phase 1 
meetings. Appendix B provides a list of acronyms used in this report along with their 
definitions. Note that more recommendations from the PRT to the X-33 program are likely after 
completion of a sufficiently thorough review of the topics detailed in Section 7. 

3. The X-33 GN&C PRT Membership 

Members of the X-33 GN&C PRT were selected to provide, in aggregate, the depth and 
breadth of expertise needed to address all the areas that will eventually be scrutinized by the 
PRT. Table 1 identifies these individuals. 


Table 1 - PRT Membership

PRT Member            Focus Area                                    Affiliation

Dr. Phil Hattis       Team Lead                                     Draper Laboratory
Edward Bergmann       Avionics and Navigation Systems               Draper Laboratory
Frank Kirby           Propulsion                                    Consultant
Prof. Jason Speyer    GN&C Algorithms                               University of California in Los Angeles
Don Wilkerson         Software Development Processes and Testing    Consultant
Jeffrey Zinchuk       Avionics and Fault Tolerance                  Draper Laboratory


4. X-33 GN&C PRT Phase 1 Goals and Design Assessment Process 

The focus of the X-33 GN&C PRT phase 1 activity was a review of GN&C algorithms and 
the FCAS. During phase 1, the PRT attempted to obtain sufficient insight into the GN&C 
algorithm and FCAS design and development status to enable identification of design 
implementation and development process issues that pose disproportionate risk to the success of 
the first X-33 flight. Based on this assessment, recommendations are made by the PRT in this 
report that the X-33 development team can implement to reduce the current GN&C algorithm 
and/or FCAS risks. 

The phase 1 effort included two meetings by the PRT with X-33 managers and developers. 
The initial PRT meeting was held at the X-33 facilities in Palmdale, California on May 17-18, 
2000. The purpose of the initial meeting was both to brief the PRT members on the X-33
program and to provide an initial look at the X-33 GN&C algorithms’ design criteria, 
development process, and implementation status. The second meeting was held at Honeywell 
facilities in Tempe, Arizona on June 7, 2000. The purpose of the second meeting was to take a 
look at the FCAS design criteria, implementation status, and stand-alone ground test results. 
Following these meetings, the PRT formulated an initial list of recommendations (see Section 8) 
and identified a variety of topics that the PRT deemed to require additional information and/or 
further assessment to attain adequate design insight which may in turn result in some additional 
recommendations (see Section 7). 

5. Topics and Presenters at the Phase 1 PRT Meetings 

Table 2 provides the subjects of all the presentations made at the May 17-18, 2000 X-33 
GN&C PRT meetings in Palmdale, California along with the presenters' names and the 
presenters' affiliations. 


Table 2 - May 2000 PRT Meeting Topics and Presenters

Subject                                             Presenter           Affiliation

• Introductory Briefing for the X-33 GN&C PRT       Phil Hattis         Draper Laboratory/PRT

• X-33 Program Review                               Paul Landry         Lockheed Martin Palmdale

• X-33 GN&C Background                              Hussein Youssef     Lockheed Martin Palmdale

• Guidance and Control Interface                    Dan Coughlin        NASA Marshall Space Flight Center (MSFC)
• Ascent Guidance

• Entry Guidance                                    John Hanson         NASA MSFC
• X-33 Power-Pack Out Abort Trajectory Design and
  Performance Manager Algorithms

• Engine Clipping Logic                             Marc Bouffard       Boeing Rocketdyne

• Ascent Flight Control                             Charles Hall        NASA MSFC

• Ascent Airdata Augmentation                       Howard Lee          Lockheed Martin Palmdale
• Reconfigurable Control

• Transition/Entry Flight Control                   Kerry Funston       NASA MSFC
• Jet Selection Logic

• Terminal Area Energy Management (TAEM)            Lee Olson           Lockheed Martin Houston
  Approach & Landing Guidance and Flight Control

• Navigation Processing                             Rich Abbott         Lockheed Martin Palmdale

• Propellant Utilization System                     Barry Cantin        Lockheed Martin Michoud

• System and Software Architecture                  Curtis Reichenfeld  Honeywell


Table 3 provides the subjects of all the presentations made at the June 7, 2000 X-33 GN&C 
PRT meetings in Tempe, Arizona along with the presenters' names and the presenters' 
affiliations. 


Table 3 - June 2000 PRT Meeting Topics and Presenters

Subject                                             Presenter           Affiliation

• Introduction to FCAS                              Casey Hanlon        Honeywell
• FCAS Requirement Compliance
• FCAS Testing

• FCAS Overview                                     Jim Kern            Honeywell
• FCAS Requirements Compliance
• FCAS Testing

• FCAS Requirements                                 Richard Larsen      Honeywell
• Component Capabilities and History

• Dynamic Simulation and Design Analysis            Paul Evans          Honeywell

• Control Loop Design                               Ed Johnson          Honeywell
• Controller Hardware Implementation of Analytical
  Design
• Vehicle Management Computer (VMC)-FCAS Controller
  Latency
• FCAS Software


6. Some Significant X-33 Program GN&C-Related Accomplishments 

The goals of the PRT were to identify aspects of the design of X-33 GN&C-related 
subsystems that had disproportionate risk and to make recommendations regarding how to 
mitigate that risk. However, in the course of doing its phase 1 assessment, the PRT also 
developed some very favorable impressions. The following subsections identify PRT 
observations about the high quality of X-33 development team members and some of the 
significant GN&C-related development accomplishments to date on the program.

6.1 Quality of Development Team Personnel

The technical caliber and level of expertise of individual GN&C-related subsystem developers
was very high.

6.1.1 The degree of individual cooperation among the X-33 program developers was excellent.
They had a strong spirit of teamwork and commitment to the program.

6.1.2 The level of algorithm and software design aptitude prevalent among the development
staff is more than adequate to meet the X-33 vehicle GN&C-related application
challenges.

6.1.3 At this stage of the program, despite recent reductions in the program's level of effort, the
amount of informal technical communication flow among individual team members
involved in GN&C algorithm and FCAS development is quite good.

6.2 Quality and Quantity of Work Accomplished 

6.2.1 The design of this complex vehicle was done with the cooperation of many companies in
a very short time. In order to accomplish this task, many of the subsystem designs had
to rely on internal information and redundancy to achieve the failure tolerance,
performance, and reliability goals. This was accomplished by each of the subsystem
teams with which the PRT interacted. Although this design approach may have added to
the vehicle weight and power consumption, it substantially reduced the level of effort
required for the software development, integration, and validation. It was the best
approach for this X-vehicle design.

6.2.2 The current GN&C-related avionics architecture and design generally seem sound and
conservative. The avionics development is nearly complete, and most of the hardware is
ready for use in the final vehicle assembly.

6.2.3 The GN&C algorithm and software architecture also seems generally sound and
conservative. There is a nearly complete implementation of flight code with much of
the developmental testing at the software component level already complete.

6.2.4 The FCAS development team has produced a complete, self-sufficient subsystem design
and has done testing with power sources similar to what will be on the X-33. This
development effort seems to have proceeded very well. The actuators appear to be
nearly ready for flight.

6.3 Some Other GN&C-Related Accomplishments 

6.3.1 The program implemented GN&C-related Interface Control Documents (ICDs) very
early and used this mechanism to define, track, and manage the interfaces,
implementation, and derived requirements for each of the subsystems.

6.3.2 The program had a Configuration Control Board (CCB) in place early that handled many
of the GN&C-related system issues. This CCB reviewed proposed changes and tracked
the impact of approved changes.

6.3.3 The program has applied a requirements management tool, the Dynamic Object Oriented
Requirements System (DOORS), that facilitates GN&C-related requirements
traceability.

7. Some GN&C-Related Topics Requiring Further Attention 

During the phase 1 PRT efforts, some topics were identified that required additional 
information to enable completion of a satisfactory assessment, but that information could not be 
obtained within the phase 1 period of performance to enable close out of the topics. These topics 
are identified in Section 7.1. Also, the PRT identified other topics that require attention but 
which were outside of the phase 1 review scope. These topics are identified in Section 7.2. All 
the topics in Sections 7.1 and 7.2 should be addressed before the PRT completes its full review 
of the integrated X-33 GN&C system and are listed here to assure that they are known and
properly addressed when the PRT reconvenes. Note, however, the topics listed in this section do
not necessarily constitute a comprehensive list of areas that must be addressed by the PRT to 
complete its intended integrated GN&C system review scope. Also, no priority is implied by the 
order in which the topics are listed. 

It is important that the X-33 program developers and managers understand that 
recommendations by the PRT to the X-33 program that are not already provided in Section 8 
may result following assessment of the areas identified in this section. 

7.1 Topics Within the PRT Phase 1 Scope that Require Further Scrutiny

7.1.1 GN&C Algorithm Requirements

7.1.1.1 Ambiguous or Vague Requirements. The PRT found some of the GN&C algorithm
design requirements to be ambiguous or vague, complicating algorithm testing and
creating a risk of design misunderstandings across the X-33 development team. Any
program plans to identify and definitize ambiguous or vague requirements should be
reviewed for completeness. A trace of the GN&C algorithm requirements to the
subsystem features that implemented the requirements and identification of the
processes intended to validate the requirements would be of interest to the PRT to help
to address this issue. The same information may also be an effective tool for
developers to isolate the requirements that remain ambiguous or vague.

7.1.1.2 Power-Related FCAS Controller Design Constraints. Review is needed of the specific
power system constraints that motivated flow-down or associated developer-derived
FCAS controller design requirements. The PRT noted that Honeywell had applied low
voltage operation derived requirements to the FCAS based on technical issues raised
by other vehicle development team members that are not formally documented by the
program. This made it apparent that the completeness of the documentation of the
power system-derived design constraints and the origin and rationale of those
constraints needs review. An assessment is also needed of plans to test the flowed-down
and developer-derived requirements resulting from the power system
constraints.

7.1.1.3 Failure Tolerance Requirements. The vehicle tolerance requirements for GN&C-related
subsystem failures should be reviewed along with the criteria for selecting these
requirements. This issue results from PRT observation that a variety of different
redundancy strategies are used on the vehicle GN&C-related subsystems (e.g., fully
redundant FCAS motor controllers vs. use of RCS thruster authority overlap for
functional redundancy). The actual failure tolerance requirements and the intent of
those requirements must be fully understood prior to determining whether each of the
GN&C-related subsystems actually meets those requirements.

7.1.2 GN&C Algorithm Design

7.1.2.1 Flight Phase Sequencer. Additional details are needed of the flight phase sequencer logic
to enable addressing how it handles reconfiguration requirements and how it
accommodates aborts.

7.1.2.2 GN&C Features to Accommodate Main Engine and TVC/Thrust Lever Control (TLC)
Dynamics. A review is needed of the GN&C algorithm features that are included to
accommodate the ascent main engine and TVC/TLC dynamics under nominal,
dispersed, and Power Pack Out (PPO) flight conditions. Control law treatment of any
significant nonlinear engine and TVC/TLC effects and associated analysis of expected
closed-loop response should be part of the review.

7.1.2.3 RCS Thruster Selection Criteria. The briefings to the PRT indicated that the entry RCS
thruster selection is based on flight-specific thruster selection tables. The basis for
generating the tabulated thruster selections and for determining the robustness of the
control system response resulting from the flight-specific tabulated selections should
be scrutinized.

7.1.2.4 First-Flight, Non-Intended Code Paths. The GN&C algorithm briefings to the PRT
during phase 1 indicated that the first X-33 flight will have algorithm features in the
flight software load that are not expected to be used. The PRT is seeking clarification
of how testing will verify that non-intended code paths are avoided in the initial flight.
Also, clarification is sought regarding how integrated testing plans will focus on the
required first flight capability.

7.1.2.5 Ascent Lift Management. Use of vehicle lift during ascent can affect guidance.
Clarification is sought about how vehicle lift is managed and/or applied during ascent.

7.1.2.6 Mission Manager Role with the Performance Manager. Because the performance
manager operates in the mission manager processor, an assessment of the mission
manager and how it executes the performance manager is needed, including mission
manager processing throughput and timing considerations when the performance
manager is active.

7.1.2.7 Landing Gear Braking. Insight is needed regarding whether main landing gear braking is
disabled until after nose gear touchdown is confirmed.

7.1.2.8 PPO-Induced Guidance I-loads. Clarification is sought regarding whether PPO-induced
guidance update I-loads define a new reference trajectory or reference vehicle attitude
history.

7.1.2.9 Control Effector Mixing and Stability. The FCAS effectors are blended with the
TVC/TLC system during ascent and with the RCS thrusters during entry to achieve
vehicle control. A review is needed of how the control laws accommodate the
dissimilar character of the effectors and how stable interaction of the effectors is
assured during nominal, dispersed, and anomalous flight conditions.

7.1.3 GN&C Algorithm-Derived Flight Software

7.1.3.1 I-Load Validation Plan. Details are needed regarding how I-loads will be validated and
how I-loads will be re-validated after changes are made. Also, responsibility
assignments should be identified regarding formulation of I-load test criteria and
definition of integrated tests (with dispersions and faults) to verify I-loads.

7.1.3.2 Basis for the Ascent Mixing Gains. A review is needed of ascent mixing gain selection
criteria (This assessment activity should be done subsequent to the review discussed in
item 7.1.2.9).

7.1.3.3 Software Responsibilities. Program responsibility assignments for evaluating and testing
the GN&C response under the range of possible control effector failure conditions and
the applicable test plans need to be reviewed to verify comprehensive coverage. (This
issue arose when it became apparent that failed aerosurface scenarios are not being
evaluated by developers of the entry control algorithm.)

7.1.4 GN&C Algorithm Performance

7.1.4.1 GN&C Robustness with Faults. An overview is sought that addresses GN&C fault
tolerance and GN&C robustness in the presence of vehicle faults. As part of this
action item, faults to which the GN&C system is required to be tolerant should be
identified.

Flush-mounted Air Data Sensors (FADS) Dynamic Pressure and Airspeed
Measurement Accuracy. The expected accuracy of the FADS-derived free-stream-relative
dynamic pressure and airspeed measurements on the initial X-33 flight should
be addressed along with the impact of the expected uncertainties in these air-relative
state measurements on the performance of the TAEM Guidance and Control (G&C)
loop.

7.1.4.2 Center of Mass (CM) Measurement Accuracy. The accuracy of the CM estimation by the
Vehicle Propellant Manager (VPM) and the impact of resulting uncertainty on the
accuracy of the EGI-derived navigation states should be reviewed.

7.1.4.3 Accuracy of Navigation States Derived Outside the EGI. A summary is needed of the
navigation states that are generated by the EGI but are also derived outside the EGI
because they are not output from the EGI to the Flight Manager (FM). The resulting
differences in the accuracy between the EGI-derived and FM derived versions of these
states should be assessed along with the impact on G&C performance of any loss of
accuracy of the FM version of these states.

7.1.4.4 Effect of PPO-Related Reconfiguration Delays. An assessment is needed of the
consequences of the PPO-related reconfiguration delays on vehicle response in
negative post-PPO control regimes. Assurance is needed that no catastrophic vehicle
flight path divergence can result.

7.1.5 FCAS

7.1.5.1 Pneumatic Load Assist Device (PLAD) Current Averaging. The suitability and
correctness of the current "averaging" scheme used to activate the PLAD needs to be
addressed.

7.1.5.2 Open-Failed PLAD Valve Likelihood and Consequences. Information is needed
regarding the likelihood of an open-failed PLAD vent valve.

7.1.5.3 FCAS Effector Failure Response Lag Effects. The effects of the latency in FCAS
effector failure detection and reconfigured backup channel initial response need to be
addressed under worst case aerosurface failure conditions (with worst case determined
by greatest potential for inducing vehicle flight divergence). Account should be made
for the detectability and response lags associated with intermittent as well as hard
failures.

7.1.5.4 Load Effects on Electromechanical Actuator (EMA) Frequency Response. The effects of
loads on the EMA frequency response and the impact of any response changes on
control loop stability need to be screened, including how these effects (if significant)
have been factored into the FCAS design.

7.1.5.5 EMA Duty Cycle Demands and Capabilities. A summary is needed of how the
maximum expected in-flight duty cycle rates of the EMAs relate to the EMA
operational capabilities.

7.1.5.6 Dual PLAD Operation Effects. All ground tests of the PLAD that were addressed in the
June 2000 PRT meeting involved a single system. A review is needed of any analysis
that indicates what changes in PLAD response will result from feeding two flight
PLADs off the single pressurized gas supply.

7.1.5.7 Reduced Voltage Response. A review is needed of the expected FCAS control loop
response when the low voltage operational mode is invoked.

7.1.5.8 Planned FCAS Failure Scenarios for Closed-Loop Tests. The scope of FCAS failure test
cases to be run in combination with the closed-loop GN&C system needs to be
summarized and reviewed to assure that plausible high-stress cases are covered.

7.1.5.9 Common Mode Failure Scenarios. Insight is needed regarding what sources of common
mode failures may exist for the FCAS primary and secondary actuator channels along
with their likelihood.

7.1.5.10 Command/Actuator Spectral Response. FCAS hardware-in-the-loop (HWIL) test data
presented to the PRT at the June 2000 meeting showed some spectral characteristics
that warranted further scrutiny. Results of any spectral analysis of the FCAS
command/actuator loop response and the explanations for resonance and/or "beating"
phenomena identified in the spectral response should be reviewed.

7.1.5.11 FCAS EMA Dispersion Characteristics and Response. An assessment is needed of the 
basis for determining the expected FCAS EMA dispersions and the expected control 
response and stability margin effects due to those dispersions. A basis for constructing 
appropriate worst case stress tests should be addressed that does not put undue reliance 
on Monte Carlo testing. Included should be consideration of at least uncertainty in 
control effectiveness, EMA duty cycle effects, and power drain effects. 

7.1.5.12 Rate and Current Limit Change Safeguards. A feature exists to enable down load 
changes to the FCAS rate and current limits. A review is needed of how these limits 
are assigned and verified before first flight, as well as how the values in the software 
are safeguarded from in-VMC change during flight. 

7.2 Topics Outside the PRT Phase 1 Scope that Warrant Scrutiny

7.2.1 GN&C Operations

7.2.1.1 Ground Intervention Strategy and Procedures. Scrutiny is needed of the criteria for
ground intervention into GN&C during pre-launch and flight as well as the procedures
for determining and accomplishing the ground intervention. Also, the information
available to ground control personnel for making GN&C-related intervention decisions
and the basis for assuring that the ground control personnel adequately understand that
information should be reviewed.

7.2.1.2 Launch Restrictions. A listing is needed of GN&C-related launch restrictions to support
a review of them.

7.2.1.3 GN&C Initialization. A review is needed of how GN&C initialization prior to launch
will be accomplished and verified.

7.2.1.4 Pre-Flight Checkout. A review is needed of the scope and nature of GN&C-related
subsystem pre-flight checkout that will be performed prior to first flight.

7.2.1.5 Abort and Flight Termination Criteria. An assessment is needed of the criteria used in
software and at the ground operations facility for determining that an abort is
appropriate and/or flight termination is necessary. Applicable on-board and ground
response procedures also warrant scrutiny.

7.2.1.6 Post-Landing GN&C-Related Functions. A review is needed of the GN&C-related
system operations that are required after landing, including the ground system linkages
that are needed to enable those operations. Also, any on-board power requirements
associated with post-landing GN&C-related operations should be addressed.

7.2.1.7 Initial Flight Certification. The process for certifying that the GN&C-related systems are
ready for flight should be screened, including a review of how pre-flight testing results
are factored into the certification process.

7.2.2 Avionics 

7.2.2. 1 Power Requirements Analysis. A review is needed of the basis for sizing batteries and 
establishing their discharge requirements to assure that the GN&C avionics and 



associated control effector in-flight power needs are met. Nominal and peak current 
drain should be addressed as well as the allowable voltage fluctuations, expected depth 
of battery discharge, strategies for short-circuit protection, and charging/monitoring 
requirements. 

7.2. 2. 2 1553 Signal Traffic. An assessment is needed of the GN&C-related 1553 bus signal 

traffic for a nominal X-33 mission. This should include the list of 1553 data words 
to/from the bus remote terminals. 

7.2.2.3 Navigation Simulations. A review is needed of the implementation and results of the 

simulations involving the EGI and the use of differential GPS data. The EGI change 
history and current design verification process should be addressed. The means by 
which differential GPS is applied, the magnitude of differential GPS data update 
delays, the means by which differential GPS data update delays are accommodated, 
and how resulting navigation dispersions affect guidance should all be covered. The 
analysis and testing used to verify the GPS antenna coverage, satellite tracking, and 
satellite switching for scenarios applicable to the first X-33 flight should be included. 
Any identified issues or launch restrictions associated with limitations on satellite 
visibility by the antenna should also be covered. 

7.2.2 4 Processor Throughput. A review is needed of the predicted and measured throughput as 
well as memory loading of flight processors used by GN&C-related functions. This 
should cover flight manager/mission manager processors (in the vehicle management 
computers), data interface units, and engine manager (engine controller) processors. 
72.2.5 Environment Susceptibility. An assessment is needed of any analysis performed by the 
X-33 development team regarding the environment exposure envelope for all critical 
avionics packages and the susceptibility of each class of avionics box to adverse 
effects due to the environment. This should cover avionics directly related to GN&C 
data processing as well as controllers for the main engines and the FCAS actuators. 

7.2.2.6 Grounding Strategy, Static Discharge Consequences, and Electromagnetic Interference
(EMI) Effects. The effectiveness of the vehicle's electrical grounding strategy, the
potential for static discharge, and the possible effects of static discharge on the 
avionics should be reviewed. Also, the level of vehicle screening for EMI sources and 
the degree of avionics protection from EMI effects should be addressed. 

7.2.2.7 Component Fault Detection Process. An assessment is needed of the algorithmic criteria
for identification of GN&C-related avionics component faults. This should include
strategies to detect intermittent failures as well as "steady" (continuously observable) 
failures. 

7.2.2.8 HWIL Stress Tests. Plans for GN&C-related subsystem HWIL stress tests need to be
reviewed. This review should address at least the following areas: 

• The subsystem and associated Integrated Test Facility (ITF) test procedures,
providing information necessary to determine what has not been verified at the
subsystem level and what must be verified at the ITF HWIL level.

• Identification of the most stressful test cases that result from plausible dispersion
and/or failure effects. Definition of these cases should include consideration of
the effects of partial power system failures and/or 1553 bus anomalies.

7.2.3 Propulsion 

7.2.3.1 Main Engine Models and Dynamics including TVC, TLC, and PPO. The GN&C system
must accommodate the main engine thrust dynamics including PPO scenarios for
which there are a variety of special GN&C algorithm features. The following items
need to be reviewed to be sure they are properly accommodated in the GN&C 
algorithms: 

• Main engine thrust vs. time during throttle up or down from an operating point.

• Main engine thrust vs. time for nominal operations and PPO engine shutdown
(including shutdown thrust vs. time as a function of engine power level prior to
shutdown).

• The ascent main engine interaction with the airflow around the vehicle with
respect to its effect on the vehicle’s aerodynamics. A review of the
engine/aerodynamics interaction model is needed that addresses the effect of the
engine plume on aerodynamics as a function of atmospheric condition, flight
state, throttle setting, and TVC/TLC usage including uncertainty effects. If the
aerodynamic effect of the engine plume is sensitive to aerosurface positions, then
the nature of those effects should also be covered.

• The models and model uncertainties of the expected torque resulting from TVC
and TLC under nominal and PPO flight conditions. Included should be
information about how the models and uncertainties change as a function of
vehicle Mach number, dynamic pressure (Q), angle of attack (α), and side slip
(β).

• Main engine operating conditions and propellant flow rates for nominal and PPO
scenarios as a function of throttle and TVC/TLC settings (including variations
between left and right engine response for nominal flight due to TVC/TLC).

• PPO response event sequence and timeline, the models of these events, the
expected quality of these models, as well as the implication of PPO on vehicle
dynamics (including possible transient disturbance rates on the vehicle).

• The process for validating the accuracy of the propulsion dynamics models
including TVC/TLC effects.

7.2.3.2 RCS Performance and Reconfiguration. There are many aspects of vehicle flight control
that depend on detailed knowledge of the RCS system response characteristics. 
Assessment is needed of the following items to assure that they have been properly 
accommodated: 

• The expected RCS on/off response times, latencies, and impulse characteristics.

• Sources and magnitudes of jet thrust variations.

• Operation/interaction with the jet exciter.

• Failure modes, failure detection strategies, as well as failure override logic
including the override logic interaction with the Vehicle Subsystem Manager
(VSM).

• The status and resolution plan of the currently unsatisfied requirement to be able
to fire five RCS jets simultaneously.

7.2.3.3 Engine and TVC/TLC error effects. A review is needed of the TVC/TLC models, their
uncertainties, and the effects of those errors on GN&C including a discussion of the 
GN&C robustness provided to accommodate those errors. 

7.2.3.4 Main Engine Control. Scrutiny is needed of the control algorithms, Redundancy
Management (RM), and associated command latency (under nominal and fault
conditions) for the main engines. Included should be information regarding what
computers manage PPO execution, associated valve control/reconfiguration, and
TVC/TLC valve management. The review should also cover how the design blocks
any path by which main engine propellant crossfeed valves can be improperly 
configured without an actual PPO. 

7.2.3.5 Propellant Depletion Detection. A review is needed of the main engine propellant
depletion detection strategy, the depletion detection cross check, as well as the 
associated RM strategy. Also the criteria for selecting the location of the liquid 
oxygen depletion sensor package including the role that the propulsion contractor had 
in placing that sensor package should be covered. 

7.2.3.6 PPO Thrust Imbalance. The magnitude of engine thrust imbalance due to asymmetric gas
generator flow under PPO flight conditions should be assessed and the status of 
models of this effect in the simulations should be addressed. 

7.2.3.7 TVC/TLC Limits. A review is needed of whether there are any time limits for holding
the TVC/TLC at or near +/- 15%, or any other engine constraint-related restrictions on
the TVC/TLC usage. Treatment of any such constraints in the GN&C algorithms 
should also be covered. 

7.2.3.8 Pressure Sensor Failure Modes. Possible failure modes of the propellant utilization 
pressure sensor(s), and their likelihood, should be reviewed. 

7.2.4 GN&C-Related Software and Associated Testing

7.2.4.1 End-to-End Flight Test Plan. An assessment is needed of the X-33 program's
end-to-end-flight GN&C testing plans and the means by which those plans will be accomplished.
This should encompass nominal, dispersion, and inserted-fault tests. There should be 
consideration of the means by which the envelope of vehicle capability will be 
determined. Also, plans should be addressed regarding intended flight-test signature 
simulations against which actual flight test results can be compared. 

7.2.4.2 GN&C-Related RM. A review is needed of the GN&C-related RM requirements and
implementation to assure adequacy and uniformity of RM across the GN&C-related
subsystems. This should cover at least the following areas: 

• Guidelines on how to detect and handle failures for each GN&C-related
subsystem.

• The fault handling logic for each GN&C-related subsystem.

• Methods for handling both hard and intermittent failures.

• Strategies for differentiating between actual subsystem failures and sensor
failures.

• How subsystem Built in Test (BIT) data is applied.

7.2.4.3 Software Development/Testing Processes and Exception Handling. A review is needed
of the GN&C flight software development and testing processes and the exception
handling to be applied in the flight processors executing GN&C-related software. 

7.2.4.4 Stability and Dispersion Analysis. The GN&C algorithm developers that briefed the PRT
indicated that much work remains to be done on GN&C stability and dispersion 
analysis. When this work is more complete, there should be a review that addresses 
the process and results of GN&C stability and dispersion analysis for each flight phase 
including an account of how significant nonlinear effects have been treated. The use of
frequency domain and time domain analysis should be addressed as well as how the 
results of these two analysis strategies are compared. The applicability of any stability 
analysis that preceded completion of the final design versions of the algorithms should 
also be addressed. Of particular interest are measures of remaining margins under
stress test cases. Also of special interest is the response of the vehicle under dispersed
conditions in PPO-flight-induced negative control regions (to assure there is no 
catastrophic flight path divergence). 

7.2.4.5 Software Development Metrics Review. Metrics of GN&C software development and
associated error rates need to be reviewed to assess the health of the software
development process and the software integration process. Included in the metrics
should be the number and types of errors found in each phase of the development and
testing as well as a categorization of errors by major cause (e.g., requirements
misunderstanding, design error caused by [reason], coding error, test data error, etc.).

7.2.4.6 Implemented VMC Software Responsibility. In the May 2000 PRT meeting it became
apparent that at least two different companies have been generating software to
execute on processors sharing the same back plane within the VMC. A review of the 
final division of the associated software development and the assigned testing 
responsibility is needed as well as a discussion of how compatibility of all resulting 
object code has been assured. 

7.2.4.7 Software Maintenance. A review is needed of the processes applied to establish
controlled records of the GN&C software design criteria and to assure maintainability
of the GN&C software as well as its development and test environment throughout the
vehicle design, development, and initial flight test operations. This should include 
discussion of the GN&C software configuration management plan and 
implementation. 

7.2.4.8 Integrated Test Plans. A review is needed of the status of the GN&C integration test plan
and intentions regarding formalization and standardization of the applicable suite of
test cases. 

7.2.4.9 Navigation Data Source Selection. An assessment is needed of any possible adverse
consequences of each VMC doing its own navigation package data source selection.
Relevant information includes:

• Values, limits, and thresholds used on navigation package pair-wise comparisons.

• The expected trends in output navigation state deviations between VMCs if not all
VMCs are able to read all navigation packages.

• The basis for VMC comparison of output navigation state data.

7.2.4.10 Voted VMC Data. VMC cross channel data link voted variables should be scrutinized.
Both the data words that are voted and the associated thresholds used to detect failures 
should be addressed. 

7.2.4.11 Software Parameter Input Management. A review is needed of the process for
managing assignment of flight software parameters before and during an X-33 flight. 
This should address the means for verifying the parameter default load, the process for 
updating the flight parameters, and the means applied to control access to the on-board 
flight parameter data. 

7.2.4.12 ITF Use to Verify FCAS. A review is needed of how the ITF will be used to verify 
FCAS load predictions, control margins, and expected PLAD gas usage. 
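
The concern behind items 7.2.4.9 and 7.2.4.10 can be seen in a small model, added here as an example and not taken from the X-33 program or the PRT: each VMC selects its own navigation source by pair-wise comparison, and the VMC outputs are then voted across channels. The three-package, three-VMC layout, the selection rule, both limits, and all readings are assumptions constructed for illustration.

```python
from itertools import combinations
from statistics import median

# Constructed sample: one position component (metres) from three navigation
# packages; NAV3 has drifted. Values and limits are assumptions, not X-33 data.
NAV_READINGS = {"NAV1": 1000.0, "NAV2": 1004.0, "NAV3": 1030.0}
PAIRWISE_LIMIT = 10.0  # assumed nav package pair-wise miscompare limit
VOTE_LIMIT = 10.0      # assumed cross-channel vote threshold

ALL_NAV = ["NAV1", "NAV2", "NAV3"]
FULL_VISIBILITY = {"VMC_A": ALL_NAV, "VMC_B": ALL_NAV, "VMC_C": ALL_NAV}
# Hypothetical bus degradation: VMC_B and VMC_C cannot read every package.
DEGRADED_VISIBILITY = {"VMC_A": ALL_NAV, "VMC_B": ["NAV2", "NAV3"], "VMC_C": ["NAV3"]}


def select_nav_source(readable, readings=NAV_READINGS, limit=PAIRWISE_LIMIT):
    """Assumed per-VMC rule: average the packages that agree pair-wise.

    Returns (value, packages_used, state) where state is "compared",
    "miscompare" (no pair agrees, fault cannot be isolated) or "uncompared"
    (only one package readable, so nothing to check it against).
    """
    visible = {name: readings[name] for name in readable}
    if not visible:
        raise ValueError("no navigation package readable")
    if len(visible) == 1:
        name, value = next(iter(visible.items()))
        return value, [name], "uncompared"
    agreeing = set()
    for a, b in combinations(sorted(visible), 2):
        if abs(visible[a] - visible[b]) <= limit:
            agreeing.update((a, b))
    if agreeing:
        used = sorted(agreeing)
        return sum(visible[n] for n in used) / len(used), used, "compared"
    fallback = sorted(visible)[0]  # assumed fixed priority order
    return visible[fallback], [fallback], "miscompare"


def cross_channel_vote(outputs, limit=VOTE_LIMIT):
    """Flag every VMC whose output is further than limit from the median."""
    mid = median(outputs.values())
    return mid, sorted(v for v, x in outputs.items() if abs(x - mid) > limit)


def run_scenario(visibility):
    """Run selection on each VMC, then vote the outputs across channels."""
    outputs, states = {}, {}
    for vmc, readable in visibility.items():
        value, used, state = select_nav_source(readable)
        outputs[vmc] = value
        states[vmc] = (used, state)
    _, flagged = cross_channel_vote(outputs)
    spread = max(outputs.values()) - min(outputs.values())
    return outputs, states, spread, flagged


if __name__ == "__main__":
    for label, vis in (("full", FULL_VISIBILITY), ("degraded", DEGRADED_VISIBILITY)):
        outputs, states, spread, flagged = run_scenario(vis)
        print(label, outputs, states, "spread", spread, "flagged", flagged)
```

In the degraded case the voter flags VMC_C, a healthy computer whose only readable package is the drifted one, so a navigation package fault is reported as a computer fault.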

7.2.5 General Model and GN&C-Related Subjects 

7.2.5.1 Requirements Traceability and Verification. How the X-33 program will assure GN&C-
related design requirements traceability to all applicable system and subsystem levels 
and will systematically verify those requirements should be addressed. 



7.2.5.2 Tracking of Derived Requirements. Many derived requirements have been applied in the
development of GN&C-related subsystems to assure acceptable performance and to
follow sound engineering practices. A review is needed of the process by which these 
derived requirements are documented and tracked from the subsystem development 
level to the integrated-GN&C system and vehicle level. 

7.2.5.3 Listing and Status of Models Used in GN&C-Related Simulations. A list of 
environment, vehicle dynamics, and component performance and response models 
used in major GN&C development simulations and the ITF should be generated for 
review. The list should also address the sources of the models and the means of 
validation of the models. This will enable an assessment of the adequacy of the 
models used for design development and testing as well as the completeness of 
modeled features. 

7.2.5.4 GN&C Development Records. A list of any documentation that provides a record of the
GN&C development status, associated reviews, identified issues, and resulting change
history should be prepared to facilitate identification of items warranting scrutiny. 

7.2.5.5 GN&C-Related Documentation Tree. A listing of the X-33 GN&C-related documentation
tree is needed. This should cover applicable GN&C-related subsystem hardware and 
software documentation. In the case of the software it should be from the Software 
Development Plan (SDP) level down. 

7.2.5.6 Applicable SDPs. Material reviewed by the PRT seemed to indicate that there are two
SDPs associated with GN&C-related system development (documents 604D003 and 
604D0029). Clarification is needed on the role of each of these documents, and their 
precedence if there is any technical overlap. 

7.2.5.7 Touchdown Detection. Relevant design information is needed to assess what is done to
make vehicle touchdown and nose-down detection reliable. 

7.2.5.8 Failure Management and Effects Analysis (FMEA). An assessment is needed of the
X-33 program plan for FMEA, the status of that work, and significant FMEA-related
conclusions that have been made. Special attention should be provided to FMEA
results for components whose failures can affect multiple components of other
subsystems (e.g., power system component failure effects on the FCAS).

7.2.5.9 Landing Gear Lateral Loads. An assessment is needed of what has been done to evaluate
and determine the acceptability of lateral loads on the landing gear under cross wind
conditions. 

7.2.5.10 First Flight System Capabilities, Expectations, and Margins. To help the PRT evaluate
validation and verification plans prior to first flight, a review is needed of the expected 
vehicle GN&C-related capabilities, those capabilities that will be exercised on the first 
flight, and the applicable design margins. 

7.2.5.11 Design to Reliability Requirements. The apportionment of reliability requirements to
subsystems and the plans to test satisfaction of the apportioned requirements should be 
scrutinized to assure that the integrated vehicle will meet overall system reliability 
requirements. 

7.2.5.12 Tracking of Reliability and Limits Issues. A review is needed of the process with 
which component/subsystem reliability and operational limits issues that are identified 
by subsystem developers are tracked throughout the vehicle development program. 



7.2.5.13 Performance Testing Methods. An assessment is needed of the vehicle performance 
characteristics that can be evaluated on the ground before the initial flight vs. 
performance characteristics that must be evaluated during flight. 

8. Initial PRT Recommendations to the X-33 Program 

The following items are the initial recommendations from the PRT to the X-33 program that 
address areas in which the PRT obtained enough information during phase 1 to draw specific 
conclusions. Eventually more PRT recommendations regarding the X-33 development process 
and design are likely since during phase 1 of the PRT assessment there was insufficient 
information in some areas to draw specific conclusions and some other areas of concern to the 
PRT were not addressed at all. There is no priority associated with the order of this 
recommendation list. 

8.1 GN&C Algorithm Requirements Definition and Design Implementation

8.1.1 Clarifying Ambiguous or Vague Requirements. All system and subsystem level
specifications should be scrutinized for ambiguous or vague requirements. Clarification
of those requirements should be provided to assure that they are testable. 

8.1.2 VPM Adequacy. The suitability of the adaptation of the VPM from an expendable,
cylindrical rocket stage propellant management system to a VPM on a reusable vehicle
with complex tank geometry needs to be carefully scrutinized given the criticality of 
X-33 propellant depletion during ascent to successful vehicle return. Also, the RM 
strategy needs to be reevaluated to assure that its failure detection coverage is sufficient. 

8.2 Documentation and Knowledge Capture 

8.2.1 Design and Implementation Knowledge Capture. Given the possibility of a hiatus in the
GN&C software development cycle, and the possible loss of many key developers
before the work resumes, the program must develop a plan to capture critical design 
criteria and implementation strategy information. 

8.2.2 Developer-Derived Requirements Capture. All requirements applied during algorithm
development should be captured in testing, whether they are flowed down from the
higher-level program requirements or are developer derived. Developer-derived 
requirements should also be consistently documented including motivation for their 
inclusion. In any instance that derived requirements within a subsystem could impact 
design requirements in other vehicle subsystems, they should be flowed up to the vehicle 
requirements level and flowed back down to the other affected subsystems. A program- 
wide requirements management process update seems necessary to assure consistent and 
proper treatment of all developer-derived design requirements. 

8.2.3 Consistent Technical Information Record Keeping. The vehicle integration contractor
should consistently apply configuration management/record keeping to critical technical
information in the X-33 program. At least the following areas should be covered:

• Downward-flowed requirements (which the program already properly addresses).

• Upward-flowed GN&C design criteria and requirements that have been or should
be exchanged between program contractors and development teams.

• Subsystem contractor critical development and design documentation.

• Deliverable software configurations.

• Supporting development and test tools.

• Final test data and test results.



8.2.4 Subsystem Documentation. The program should assure archival control and future 
access to all subsystem design and development documentation. 

8.3 GN&C-Related Software and Models

8.3.1 Software Maintainability. The program should address the maintainability of the
simulation and flight software development environment, source code languages, as well
as the source code. Contributing factors to concerns in this area are the variety of 
participating contractors, differences in algorithm and software development 
methodologies employed across contractors, limited documentation in some areas, and 
turnover in staff as the program goes through a reduced level-of-effort phase. A plan 
should be put in place to assure that all critical software components (in flight code, 
development, and testing tools) are sufficiently well documented to enable development 
work to continue even if any key individual developer becomes unavailable to the X-33 
program. Attention should also be given to the viability of continued use of Fortran 
development tools. 

8.3.2 Model and Software Verification. All simulation model and utility software should be
verified without reliance on use of flight software components.

8.3.3 Algorithm Peer Reviews. The X-33 program should assure completion of peer reviews
of all GN&C-related algorithm designs before the final flight code implementation is
completed. It would have been best if the peer review process had been accomplished 
prior to initial delivery of the algorithms to coders. However, up to now the peer review 
process has not been applied consistently by all the subsystem developers. This 
increases the demand for error detection during testing, implies a longer integration 
testing cycle, and increases the probability of errors in the delivered flight software. To 
limit these issues and risks, the program needs to establish a review process that verifies 
that the design intent for all algorithms was properly formulated and correctly 
transmitted to as well as understood by flight code developers in cases where peer 
reviews were not already done. A process must also be put in place to enable revision of 
the algorithms and resulting flight code when new peer reviews find design intent errors. 

8.3.4 C++ Language Implementation Ambiguities. The C++ language that is being used for
part of the X-33 GN&C-related software development has a degree of ambiguity that
requires extensive user experience to fully anticipate. Subtle source code language 
usage changes can significantly alter object code response. The development team 
should be cognizant of the impacts of that ambiguity which may not become fully 
apparent until integrated flight software testing is underway. Adequate time and 
resources should be provided to support associated implementation problem resolution 
when integration and checkout of the software developed in the C++ language with the 
rest of the flight software is accomplished. 

8.3.5 Lead Software Engineer. Because the software work related to the X-33 GN&C involves
numerous organizations and poses many integration challenges, the X-33 program
should consider having a lead engineer dedicated exclusively to addressing top-level 
GN&C software issues across all GN&C-related subsystems. This person would be the 
focal point for overseeing the coordination of all the applicable software design, 
integration, testing, delivery, and sustaining engineering functions. The role of this 
individual would be to provide a clear path of technical responsibility for the overall 
implementation and function of the vehicle software, but this individual's activity would
be in coordination with the continued work performed by lead software engineers within
the development organization of each subsystem. 

8.4 GN&C-Related Analysis and Testing 

8.4.1 GN&C Algorithm and FCAS Stress Test Cases. The X-33 program should come up with
means to define priority GN&C algorithm and FCAS stress test cases in order to
understand GN&C stability properties without excessive reliance on extremely
numerous Monte-Carlo tests. Also, consistent approaches to GN&C algorithm and
FCAS stability assessment should be formulated and uniformly applied throughout the 
development process. Consistent approaches to stability analysis are necessary to avoid 
stability screening lapses when developers of specific algorithms or FCAS control 
features change and/or when knowledge of specific algorithm or FCAS design criteria is 
lost during program extensions (despite best efforts to retain that knowledge). 

8.4.2 GN&C Test Suite Definition. The test suite for GN&C algorithms and associated
software needs complete definition and should be kept under configuration control.

8.4.3 Performance Manager Testing. The complexity, processing burden, and non-deterministic
nature of the performance manager pose unique challenges in assuring
robustness and sufficiently comprehensive testing. Special attention should be provided
to addressing these performance manager issues, and careful review of the testing
process and results should be assured. If use of the performance manager is not intended
during the first flight, then it will be necessary to verify that the performance manager
cannot inadvertently impact the first-flight GN&C operations and performance.

8.4.4 TVC/TLC Effects on PLAD Gas Usage. Because the FCAS is blended with the main
engine TVC and TLC for ascent control, the effects on PLAD gas usage due to
uncertainties in the TVC and TLC responses must be assessed. Failure to properly 
screen for these coupled system effects risks depletion of the PLAD gas supply during 
flight. 

8.4.5 Full-Up FCAS/Vehicle Testing. Full-up testing that addresses the real response and
performance margins of the FCAS and PLAD systems within the complete GN&C
(avionics and software) system and overall vehicle is needed to help validate the 
system's response and readiness for first flight. This may be best accomplished by using 
the actual flight vehicle as the "simulation" test platform. Tests should encompass 
FCAS failure detection and reconfiguration scenarios that are managed by software in 
the VMC. 

8.4.6 Flight Phase Change Response. A systematic evaluation should be performed of the
acceptability of the GN&C response when the algorithms switch between flight phases.
The flight phase switching response should be assessed for performance acceptability 
under nominal, dispersed, and most likely anomalous flight conditions. ITF test plans 
should explicitly address these algorithm evaluation requirements. 



